Slashdot Mirror


Cryptographers Find Fault With Palladium

FrzrBrn writes "Whitfield Diffie and Ronald Rivest raised concerns about Microsoft's Next-Generation Secure Computing Base (formerly Palladium) at the RSA Conference in San Francisco on Monday. They are (naturally) concerned about vendor lock-in and having computers turned against their owners. See the story at EE Times."

21 of 343 comments

  1. Re:Privacy by neptuneb1 · · Score: 5, Insightful

    "I can't wait for the distributed Palladium cracking project!"

    You're going to be waiting for a while. With M$'s army of lawyers, any attempt to organize such a project will quickly be shot down by any one of a number of current laws. Let's see how many we can name....

    --
    No.
  2. Re:Privacy by TeknoDragon · · Score: 4, Insightful

    For every Napster there are a dozen gnutella, hotline, audiogalaxy's... for each of those there's likely to be a clandestine effort to do the same thing.

    Besides... we all know there will be someone M$ won't be able to stop.

  3. The bit I like by boy_of_the_hash · · Score: 5, Insightful
    NGSCB also requires secure channels between a keyboard and main memory and between a display interface and a graphics chip and its frame buffer.

    Which means it will only work on approved hardware - guess who profits from approving the hardware and drivers? Why would I need a secure framebuffer exactly when I'm already in full control of the code executed on my machine?

  4. It's about who "owns" your ID by feepcreature · · Score: 5, Insightful
    A central objection from Diffie & Rivest seems to be that under Palladium, Microsoft will own and control your ID - or at least what can interact securely with "your" secure Palladium device.

    To understand why this is not a good thing, imagine if a commercial company had the monopoly of passport and driving license production, and were able to prevent you from using the ID they issued to verify who you were except in "microsoft approved" shops and venues (or countries).

    IDs and trust systems should be standards based, not proprietary. They should be secure, and openly peer-reviewed or audited. And the ID should be under the control of the person being identified (or at least issued by a "neutral" government body, as passports are now).

    But I've just started thinking about this... so I might change my mind some more. Would that make me a bad slashdotter?

    --
    Paul "Say no to feeping creaturism"
  5. what is the fault? by shird · · Score: 4, Insightful

    From the title, you would think there is some technical flaw in palladium, but the article just goes on about some thing about not having control of your PC etc...

    I'm not saying there isn't a technical flaw, just /. spreads propaganda through misleading comments.

    --
    I.O.U One Sig.
    1. Re:what is the fault? by Slowping · · Score: 4, Insightful
      From the title, you would think there is some technical flaw in palladium, but the article just goes on about some thing about not having control of your PC etc...

      I'd say that the owner not having control of their own keys is a major technical flaw of "trusted computing".

      --
      (\(\
      (^.^)
      (")")
      *beware the cute-bunny virus
  6. Surprised MS isn't crying "conflict of interest" by pete_wilson · · Score: 5, Insightful
    I'm surprised that Microsoft isn't trying to cloud the issue by talking about the associations of the persons who gave the talk.

    Whitfield Diffie is an engineer at Sun Microsystems, one of the only corporations that can be considered a Microsoft competitor. Ron Rivest is a professor as his day job, but gets quite a bit of cash from RSA, and Microsoft isn't using any of the code that RSA provides (BSAFE, etc) in Palladium, so that's a big chunk of change that won't be coming his way.

    We here on slashdot may realize that Rivest and Diffie are actually quite excellent individuals in their field, but these kinds of conflicts of interest are frequently what will be pulled out to counter an argument, rather than working from the facts themselves.

  7. Misleading headline by BlueFall · · Score: 4, Insightful

    The headline of this story is misleading. Some people disagree philosophically with Palladium's goals, not its technical merits. It just happens that these people are famous cryptographers. At the moment, the technical details seem sparse, so we'll just have to wait until they are released (if ever) to see if the goals that are mentioned are actually met.

  8. Re: Better they find fault with it now, by Black+Parrot · · Score: 5, Insightful


    > And now we're supposed to trust 'Trusted Computing'?

    "Trusted Computing" is supposed to fix it where content vendors can trust us.

    Or rather, trust our computers.

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. Not owning your computer eh? by scourfish · · Score: 5, Insightful

    It's not much of a change from now: you don't own your copies of Windows, nor do you own your XBOX.

  10. Approved hardware by overshoot · · Score: 4, Insightful
    Why would I need a secure framebuffer exactly when I'm already in full control of the code executed on my machine?

    You missed Part Two: you can't get your hardware approved if you don't agree to keep the operational specs under lock & key. So, in order to sell display devices to the monopoly market, they have to be Microsoft-only display devices. Et cetera.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  11. Re:Cryptographers Find Fault With Palladium by offpath3 · · Score: 4, Insightful

    They found fault with the way the computer has more control than the user. They didn't find a cryptographic fault in any of the protocols.

  12. Re:This sums it up by zurab · · Score: 5, Insightful

    From the article: The Microsoft approach "lends itself to market domination..."

    Does anyone think Microsoft would have it any other way?


    DOJ sues MS for violating U.S. antitrust laws. Courts whole-heartedly agree and rule that MS is guilty. Courts do virtually nothing to protect consumers and tech industry, and literally nothing to punish MS. Courts do not implement any *preventive* measures against MS - as required by the law. MS goes on breaking the same law again and again - nobody pays any attention. MS widely announces its plans (as a marketing campaign) to break the same law again in many-fold worse than before - Palladium - nobody cares.

    MS has literally and (seems) legally bribed all - legislative, executive, and judicial - branches of government in order to escape and be exempt from the law, even after it has been convicted of violating it. At some point, the government corruption needs to end, but no one knows how; in the information age where most of the "information" is spoon-fed by corporations that are part of the corruption scheme, the masses will never be on the reform side.

  13. Re:Laws of Robotics? by archnerd · · Score: 4, Insightful

    The exact laws of robotics are as follows:

    1. A robot may not injure a human being, or, through inaction, allow a human being to come to harm.
    2. A robot must obey orders given it by human beings except when such orders would conflict with the First law.
    3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

    Palladium violates all three. A user could be severely inconvenienced by it, it clearly will refuse to obey the user, and it tempts the user to take a sledgehammer to it.

    In the Foundation series a "zeroeth law" is introduced which states that a robot must not harm humanity, or, through inaction, allow humanity to come to harm. Palladium screws that up too.

  14. Monopoly by Trevin · · Score: 4, Insightful
    They are (naturally) concerned about vendor lock-in
    Isn't this the real reason Microsoft started developing Palladium in the first place?
  15. Re:The alleged benefit of the CBDTPA, Pd, etc. by Waffle+Iron · · Score: 4, Insightful
    The excuse given for the CBDTPA, which may apply to Pd as well, is that more authors would be willing to publish works in a digital restrictions management system than in a system that grants all fair use rights by default.

    Many people throughout history have made great sacrifices to ensure our freedom. Now it seems there are some people willing to sell everyone's freedom to use a general-purpose computing device in exchange for a few extra TV shows, video games and pop songs.

    I say if the price of freedom is fewer published works, so be it. We're already wallowing in an ocean of media crap anyway; it's not even a big price to pay.

  16. Re:Privacy by meowsqueak · · Score: 5, Insightful

    In the USA and perhaps a few other countries perhaps - the rest of the world isn't drowning itself in stupid laws quite like the USA is at the moment. Microsoft has a long legal reach but it doesn't extend over the entire planet.

    I can imagine 7 years or more down the track, when innovation has been finally eradicated from the US economic landscape, India (for example) will have observed and learned from the USA's mistakes, and become the largest economic superpower on Earth.

    Once again, it makes me feel all warm and fuzzy inside to know deep in my heart that no matter how you look at it, I don't live or work in the USA :)

  17. You might be missing a point by Righteous+Indignatio · · Score: 4, Insightful

    In spite of the imagined throngs of doe-eyed deer-in-the-headlights otherwise thoughtless "consumers" out there, it's going to come to pass that Microsoft and their greed will overextend itself. The lock-out we-control-your-security methodology will only work until even the more moronic people have been bitten by it. Perhaps too late for their immediate circumstances, even the most ignorant and go-with-the-flow types will realize they have to leave this Microsoft environment.

    I believe what we are seeing is two things (a) desperate paranoia-fueled greed and (b) the beginning of the end for anyone so foolish to be so exclusive to the world's computing community. Here on this forum, I keep hearing people talking in little boxes about Intel, Microsoft, AMD, Linux, PCs and all of this shit in this little world we have encased ourselves into. I used to be one of those people. While now I'm working much of my time in Linux (although Windows world stuff still pays some of the bills and mainframes pay the rest) I have gone to a point from being immersed in the Microsoft environments to now being largely outside of them.

    People? Notice that we are the majority. And we can choose whether or not to be consumer cattle thoughtlessly following the loudest noise. We can choose our own directions. But mental and philosophical freedom is hard work. Not going with the large groups of clueless cattle to slaughter means a lot of effort. If this philosophy of "security" is a bad thing, and I sincerely believe "Palladium" is a very bad thing, don't follow it. Just. Don't. It will have some nice bells and whistles, but recognize a gilded cage and a machine under perpetual remote control and remote authorization for what it is. Don't sit there whining about how Windows 98 or Linux is your favorite OS of choice--please get your egos out of this and start working on some of the deeper principles of your liberty and facility with your own data on your own computers.

    If it means developing GPL-equivalent hardware, open design microprocessors, and a true open and truly standard machine architecture, done somewhere in the world, then accept this as the direction. Locking people out means locking yourself from them. We have a greedy minority of producers locking out and constricting a vast majority of consumers. Linux demonstrates that we as people can produce, but most of us are in the software or user spheres. People? If they are so intent on locking us out with these obviously evil "security" schemes--let them! But don't let yourself ever be locked in.

    Linux and OSS is one way to freedom (like Richard Stallman's idea of Freedom as liberty--not lack of cost or price). But perhaps leaving Microsoft, Intel, "Wintel", and going to newer, more open and honest architectures is the way to go. Wintel is rotting and dying. Linux and its philosophies of openness will succeed because they allow people freedom and the proliferation of new and open ideas. Wintel is like the dinosaurs in a sense of being widespread and formidable in the small computer market. This chapter of overreaching greed is the first few pebbles of the beginning of a meteoric shift. Look for freedom and reject this and all attempts to hijack and tyrannize computing.

  18. Re:Laws of Robotics? by TCaptain · · Score: 4, Insightful

    A Palladium-enabled computer prevents untrusted code from trying to destroy it.

    God some people just don't get this...Palladium will NOT stop most of the viruses and worms out there for the simple reason that a virus like code red or melissa or "I love you" does NOT run untrusted code...it's a macro run by an application like OUTLOOK...in other words a TRUSTED application.

    Palladium is NOT intended to make OUR computers safer from attack, as they are trying to tell you...Palladium exists to give THEM control over OUR hardware...period.

    --
    "I'm not a procrastinator, I'm temporally challenged"
  19. Re:Questions: by spitzak · · Score: 4, Insightful
    Palladium has absolutely ZERO effect on any end-user security. If the end user has a desire to be secure and has control of the machine Palladium adds NOTHING, NADA, ZILCH. All talk about "security" is a smokescreen.

    Palladium cannot stop viruses at all unless all "trusted" programs that could be told to execute the virus instructions actually can't do anything, which would mean the computer is useless. Outlook viruses work by doing things that the "trusted" program Outlook thinks are perfectly benign, the actions are harmful either due to bugs in Outlook or mistakes in its design. All Palladium does is "sign" the bugs in programs and then claim they are "trusted" as though that magically made the bugs go away. It provides no more help than the kernel-mode bit that is already in the hardware and is used by Linux and Windows and does not seem to have stopped viruses on either one of them.

    The purpose of Palladium is for Digital Restrictions Management (DRM). There is NO other reason for Palladium. NONE. Its purpose is to make sure that certain programs (everything not written by Microsoft) do not run on the machine.

    The "target" audience is Microsoft themselves. They are trying to make a machine that is acceptable for playing digital content, with a design that guarantees that alternative operating systems are totally unable to play this content. Far more reliable DRM systems (hardware cards) that would work under Linux are discouraged because of the bogus promises of Palladium.

  20. Who owns you? by 0xB00F · · Score: 4, Insightful

    From TCPA / Palladium / NGSCB / TCG Frequently Asked Questions:

    TCPA stands for the Trusted Computing Platform Alliance, an initiative led by Intel. Their stated goal is `a new computing platform for the next century that will provide for improved trust in the PC platform.' Palladium is software that Microsoft says it plans to incorporate in future versions of Windows; it will build on the TCPA hardware, and will add some extra features.

    This means that this whole Palladium/TCPA monstrosity requires support from both hardware and software. It is entirely up to the end-user whether or not he wants this. However, senator Fritz Hollings of South Carolina is working on getting a law that will make TCPA mandatory, see here. Until such time that this bill becomes the law:

    1. Don't buy the hardware. Unless there is a compelling reason to do so. Well if you are working for the military then go knock yourself out.

    2. Don't buy^H^H^H lease/rent/license/WTF the software. There is no compelling reason to do so.

    It will only be compelling to use Palladium/TCPA software and hardware only if it becomes illegal not to use it.

    Secure computing is not the aim of Palladium/TCPA. Its aim is to provide a way for software peddlers like Microsoft and content pushers like Disney to monitor what you run on your computer and assert control over your computer. In the long run, it will provide them a way to assert control over you.

    Secure computing can be achieved through a combination of secure computing practices, secure operating systems running secure applications, and plain-old common sense.

    If Intel, Microsoft and their cohorts push through with this stupidity it could spell the end for them. Just think, why in the hell would I want to run this sort of crap? Unless it's mandated by law, there's no reason for me to do so. With the recent slew of news about stupid laws being implemented in the U.S. it's a real possibility.

    0xB00F, stands in front of Bill Gates, raises hand, extends middle finger.